• Resolved joy0114

    (@joy0114)


    Hi,

    I definitely have a problem with a nonce provided by a plugin named “Smart wishlist”.
*** I excluded jquery.min.js from being deferred or delayed.

*** The frontend.js of “Smart wishlist” is not delayed, but just deferred (as default policy), and in this file the nonce is called “woosw_vars.nonce”

    *** Nonce ESI contains: woosw_* private

    And with this, not immediately after a purge and a crawl, I’ve got a 403 error on /wp-admin/admin-ajax.php

    Payload is:
    action: woosw_get_data
    nonce: e71c8a603d

    Response is:
    -1

    Request call stack is:

    send	@	jquery.min.js:2
    ajax	@	jquery.min.js:2
    (anonymous)	@	967f832……3262.js?ver=63262:2
    e.<computed>	@	967f832……3262.js?ver=63262:2
    ce.<computed>	@	jquery.min.js:2
    woosw_get_data	@	3e7ce1b……d11.js?ver=4dd11:64
    woosw_load_data	@	3e7ce1b……d11.js?ver=4dd11:63
    (anonymous)	@	3e7ce1b……dd11.js?ver=4dd11:3
    e	@	jquery.min.js:2
    t	@	jquery.min.js:2
    setTimeout (async)		
    (anonymous)	@	jquery.min.js:2
    c	@	jquery.min.js:2
    fireWith	@	jquery.min.js:2
    fire	@	jquery.min.js:2
    c	@	jquery.min.js:2
    fireWith	@	jquery.min.js:2
    ready	@	jquery.min.js:2
    P	@	jquery.min.js:2

    The issue appears at least 12h after a purge and new crawl. That’s why I thought it’s a nonce issue.

    My report number: NELTICKB
    Date: 09/12/2023 18:50:47

    Thanks for any ideas !
    Best regards.

    • This topic was modified 1 year, 6 months ago by joy0114.


Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support qtwrk

    (@qtwrk)

    the nonce name may not be woosw_get_data

    please try to do a text search over that plugin’s files with this as keyword and share the result

    Thread Starter joy0114

    (@joy0114)

    Hi Qtwrk,

    Thanks for your attention to my issue.

    frontend.js contains this:

    // Fetches the wishlist data from admin-ajax.php; the nonce comes from the
    // localized woosw_vars object, which is rendered into the (cached) page.
    function woosw_get_data() {
        var data = {
            action: 'woosw_get_data',
            nonce: woosw_vars.nonce
        };
        $.post(woosw_vars.ajax_url, data, function(response) {
            if (response) {
                // cache the response in sessionStorage when storage is available
                if ($storage) {
                    sessionStorage.setItem('woosw_data_' + response.key, JSON.stringify(response));
                }
                if (response.fragments) {
                    woosw_refresh_fragments(response.fragments);
                }
                if (response.ids) {
                    woosw_refresh_buttons(response.ids);
                    woosw_refresh_ids(response.ids);
                }
                // store the wishlist key in a cookie if it is missing or changed
                if (response.key && (key === null || key === undefined || key === '' || key !== response.key)) {
                    Cookies.set('woosw_key', response.key, {
                        expires: 7
                    });
                }
                $(document.body).trigger('woosw_data_refreshed', [response]);
            }
        });
    }

    Just before, in this js file, this function is used in another function, like this:
    (at the very end of it)

    // Tries to serve the wishlist data from sessionStorage first and only
    // falls back to the AJAX call (woosw_get_data) when nothing usable is stored.
    function woosw_load_data() {
        if ($storage) {
            try {
                var data = JSON.parse(sessionStorage.getItem('woosw_data_' + key));

                if (data.fragments) {
                    woosw_refresh_fragments(data.fragments);
                }

                if (data.ids) {
                    woosw_refresh_buttons(data.ids);
                    woosw_refresh_ids(data.ids);
                }

                if (data.key && (key === null || key === undefined || key === '')) {
                    Cookies.set('woosw_key', data.key, {expires: 7});
                }
            } catch (err) {
                // nothing stored (or invalid JSON): fetch from the server
                woosw_get_data();
            }
        } else {
            woosw_get_data();
        }
    }

    That’s all for all js files.

    And wpc-smart-wishlist.php contains:

    // fragments: the AJAX action name is 'woosw_get_data' (logged-in and nopriv)
    add_action( 'wp_ajax_woosw_get_data', [ $this, 'ajax_get_data' ] );
    add_action( 'wp_ajax_nopriv_woosw_get_data', [ $this, 'ajax_get_data' ] );

    and

    // registers the plugin's AJAX actions with WooCommerce Multilingual
    function wcml_multi_currency( $ajax_actions ) {
        $ajax_actions[] = 'view_wishlist';
        $ajax_actions[] = 'wishlist_add';
        $ajax_actions[] = 'wishlist_remove';
        $ajax_actions[] = 'wishlist_load';
        $ajax_actions[] = 'woosw_get_data';

        return $ajax_actions;
    }

    I thought the nonce was defined in function woosw_get_data() with “nonce: woosw_vars.nonce”

    By the way, the message in the browser console (provided in previous message) stops on this:
    woosw_get_data @ 3e7ce1b……d11.js?ver=4dd11:64
    >> highlights this line:
    $.post(woosw_vars.ajax_url, data, function(response) { in the woosw_get_data() function, at the beginning.

    And anyway, what I specified in ESI nonce (woosw_* private) should match woosw_get_data, no?

    Thanks a lot for your advice.
    Best regards

    Plugin Support qtwrk

    (@qtwrk)

    to me it looks like the nonce action, instead of the nonce name, and please search specifically in PHP files, since it's PHP code that generates the nonce.

    I would expect something like wp_nonce_field or wp_create_nonce

    Thread Starter joy0114

    (@joy0114)

    Hi Qtwrk,

    Ok, the main php file contains:

    // localize
    wp_localize_script( 'woosw-frontend', 'woosw_vars', [
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'woosw-security' ),
        ...........
        .....

    and several functions similar to this one (and called ajax_wishlist_load, ajax_add_note, ajax_manage_wishlists and so on…):

    function ajax_get_data() {
        // 'woosw-security' is the nonce action; 'nonce' is the request field it is read from
        check_ajax_referer( 'woosw-security', 'nonce' );

        $data = [
            'key'       => self::get_key(),
            'ids'       => self::get_ids(),
            'fragments' => self::get_fragments(),
        ];

        wp_send_json( $data );
    }


    Do I have to specify woosw-security in ESI >> Nonce?

    I’m going to try this anyway; at worst it doesn’t work, that’s all!
    Answer in at least 12 hours …

    Thank you so much for your help.
    Best regards
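
An added example (not code from this thread, nor from the Smart Wishlist or LiteSpeed Cache plugins): a dependency-free PHP emulation of how WordPress binds a nonce to its action string and to a 12-hour tick. It shows why the ESI nonce setting has to name 'woosw-security' (the first argument of wp_create_nonce, and of check_ajax_referer above) rather than the AJAX action 'woosw_get_data', and why a nonce baked into a cached page starts failing 12 to 24 hours after the page was generated. The key, user id and timestamps are constructed placeholders; the real wp_create_nonce() also mixes in the session token through wp_hash().

```php
<?php
// Added example: minimal emulation of WordPress nonce creation/verification.
// Constructed values only; not the plugin's or WordPress core's code.

const NONCE_LIFE = 24 * 60 * 60;             // WordPress default: DAY_IN_SECONDS
const SECRET_KEY = 'constructed-demo-key';   // stand-in for NONCE_KEY / NONCE_SALT

function nonce_tick(int $now): int {
    // Same formula as wp_nonce_tick(): one tick per half-lifetime (12 h).
    return (int) ceil($now / (NONCE_LIFE / 2));
}

function nonce_for_tick(int $tick, string $action, int $uid): string {
    // Like wp_create_nonce(): hash of tick|action|uid, 10 hex chars kept.
    $hash = hash_hmac('md5', $tick . '|' . $action . '|' . $uid, SECRET_KEY);
    return substr($hash, -12, 10);
}

function create_nonce(string $action, int $uid, int $now): string {
    return nonce_for_tick(nonce_tick($now), $action, $uid);
}

function verify_nonce(string $nonce, string $action, int $uid, int $now): int|false {
    // Like wp_verify_nonce(): 1 = made in the current tick, 2 = made in the
    // previous tick, false = older than that or made for another action.
    $tick = nonce_tick($now);
    foreach ([1 => $tick, 2 => $tick - 1] as $age => $t) {
        if (hash_equals(nonce_for_tick($t, $action, $uid), $nonce)) {
            return $age;
        }
    }
    return false;
}

function check_ajax_referer_demo(array $request, string $action, string $query_arg, int $uid, int $now): int|false {
    // Mirrors check_ajax_referer( 'woosw-security', 'nonce' ): $query_arg names the
    // request field, $action names the nonce action the value was created for.
    // The real function dies with -1 (the "-1" response seen above) on failure.
    return verify_nonce($request[$query_arg] ?? '', $action, $uid, $now);
}

// --- walk-through with constructed timestamps ---
$uid   = 0;                 // nopriv visitor, as on a cached public page
$t0    = 1_700_000_000;     // moment the page was rendered and cached
$nonce = create_nonce('woosw-security', $uid, $t0);

// what frontend.js posts to admin-ajax.php
$payload = ['action' => 'woosw_get_data', 'nonce' => $nonce];

// 1) right after caching, checked against the correct nonce action
var_dump(check_ajax_referer_demo($payload, 'woosw-security', 'nonce', $uid, $t0));
// 2) same nonce checked against the AJAX action name instead of the nonce action
var_dump(check_ajax_referer_demo($payload, 'woosw_get_data', 'nonce', $uid, $t0));
// 3) 12 hours later: one tick old, still accepted
var_dump(check_ajax_referer_demo($payload, 'woosw-security', 'nonce', $uid, $t0 + 12 * 3600));
// 4) 30 hours later: at least two ticks old, rejected
var_dump(check_ajax_referer_demo($payload, 'woosw-security', 'nonce', $uid, $t0 + 30 * 3600));
```

Run with `php nonce_demo.php`: the four var_dump lines print 1, false, 2 and false. Call 2 is the mismatch in this thread (an ESI nonce rule written for woosw_get_data never matches what check_ajax_referer verifies), and call 4 is the "at least 12 hours after a purge" failure: the cached page keeps serving a nonce whose tick has expired, so the ESI nonce rule for woosw-security is what lets LiteSpeed regenerate that value per request instead of caching it.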

    Thread Starter joy0114

    (@joy0114)

    So, I set up woosw-security private in ESI >> Nonce

    It seems to work very well this way: no more 403 error with admin-ajax.php for the moment !
    Thank you Qtwrk, without your help and suggestion to check out php as well, I wouldn’t have thought of doing it… I was stuck on js files.

    Best regards

  • The topic ‘Nonce issue’ is closed to new replies.